CTS 131: 802.11 Authentication and Association

What frame exchanges are part of a device joining an SSID?

CWS & CWT Book Giveaway

We’re raffling off a two bundles of the CWS & CWT books from CWNP. Two winners will get a copy of each book. If you’re getting into Wi-Fi or would like to know the fundamentals so you can sell Wi-Fi then this is a good resource to use. All you have to do is fill out the form below.

Meet Dustin Johnson

Our feature wireless engineer for this episode is Dustin Johnson. We ran into him at Cisco Live by accident and he happens to be a listener of the show! Listen to the episode to hear him answer François’ 10 questions.

Dustin Johnson of Wal-Mart

802.11 Authentication and Association

How does the station (STA) and access point agree to this connection? We’re going to break down the steps and the frames that are part of a STA connecting to an access point.

We have one STA connecting to an open SSID. The summary of it all is as follows:

  • STA is unauthenticated and unassociated
  • STA becomes authenticated and unassociated
  • STA becomes authenticated and associated
  • STA clears security requirements such as 802.1X, if required

Summary of frame exchanges

Beacon/Probe

The STA begins the process by performing a passive or active scan. In passive mode, the STA is listening for beacons from an access point. The beacon frame contains the BSSID which is the MAC address of the radio sourcing from the access point.
The beacon frame is a type of management frame defined in 802.11-2016. It includes capability information and parameters.

A probe is sourced from the STA requesting to join a wireless network. This is a probe request management frame. The probe is responded by an access point using a probe response management frame.

Frame exchange in 802.11 authentication and association

Authentication

The probing/scanning phase is part of the unauthenticated and unassociated step. The STA has not authenticated with the access point and also is not associated with the access point. Think of authentication as plugging a computer into a port on a switch.

The STA must be authenticated to the access point before it is associated. It sounds backwards. These are the two states in this phase and it must be done in this order.

  • Unauthenticated or authenticated.
  • Unassociated or associated.

To begin the Authentication step, the STA sends an Authentication wireless management frame to the access point. The access point responds with an Acknowledgement frame.

The access point will acknowledge the Authentication frame from the STA and upon successful authentication, the access point will send an authentication frame to the STA with an Authentication Sequence with a State of 2, for success.

Access point sends an Authentication frame with a state of 2, for Successful.

Association

Once the STA is authenticated to the access point, the next step is to become Associated. The Association occurs after the Shared Key Authentication or Open System Authentication Algorithm. There cannot be a STA that is Associated but not Authenticated. If the STA fails Authentication, it does not move to Association.

After the the access point sends an Acknowledgement to the STA’s Authentication Response, the STA sends an Association Request.

The Association Request is Acknowledged by the access point which then sends an Association Response frame to the STA.

If the association is successful, the access point’s Association Response frame will contain a Status code: Successful.

The details within an Association Response include:

  • Capabilities Information such as
    • Supported Data Rates
    • HT Capabilities
    • HT Information such as the Primary Channel
    • WMM information
    • And more..

If the Status code is anything other than Successful, then the STA is deauthenticated.

Links And Resources

Join Clear To Send

Come join the Clear To Send community.

Powered by ConvertKit
About the Author
Rowell, CWNE #210, is a network engineer in Higher-Ed. He enjoys working with wireless networking technologies and loves to share and engage with the community. You can connect with him on Twitter, LinkedIn, and Facebook.

2 comments on CTS 131: 802.11 Authentication and Association

  1. Shaun D. Cohl says:

    Rowell,

    I wanted to take a moment and offer my most sincerist thanks, appreciation and respect to the work you do.

    There are a lot of bloggers out there and I hav been in this game since before 802.11 had “b” after it, 20 + years or so. You truely add tremendous value to the wireless community and you offer you time, expertise and resources which I know you do addition to your day job.

    Keep it up you ROCK!

    -Shaun

    1. Rowell says:

      Hi Shaun. Thanks so much for your comment! Greatly appreciated 🙂

      It helps us to keep creating the content we create. We’re always trying to provide as much value to our listeners.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.